EP4350549A1 - Calculator system and cyber security information evaluation method - Google Patents
- Publication number
- EP4350549A1 (application number EP22764988.6A)
- Authority
- EP
- European Patent Office
- Prior art keywords
- security information
- cyber security
- evaluation
- richness
- information
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/577—Assessing vulnerabilities and evaluating computer system security
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q30/00—Commerce
- G06Q30/018—Certifying business or products
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q50/00—Information and communication technology [ICT] specially adapted for implementation of business processes of specific business sectors, e.g. utilities or tourism
- G06Q50/10—Services
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q50/00—Information and communication technology [ICT] specially adapted for implementation of business processes of specific business sectors, e.g. utilities or tourism
- G06Q50/10—Services
- G06Q50/26—Government or public services
Definitions
- This invention relates to a system and a method which determine a value of cyber security information.
- a cyber attack information processing program causes a computer to execute storing processing and updating processing.
- In the storing processing, when information on a cyber attack is acquired, the information on the cyber attack is stored in a storage unit in association with reliability based on an acquisition source of the information on the cyber attack.
- In the updating processing, when it is detected that posted information corresponding to the information on the cyber attack is uploaded from an information processing terminal, the reliability associated with the information on the cyber attack is updated in accordance with reliability relating to the posted information.
- the value of the cyber security information is low.
- the disclosure target of the cyber security information is the medical field but the analysis target is the automobile field
- the value is low.
- the disclosure target of the cyber security information is a product A but the analysis target is a product B.
- This invention is to provide a system and a method which evaluate richness of contents of cyber security information in consideration of a target, and automatically determine a value of the cyber security information.
- a computer system comprises: at least one computer; a freshness evaluation module configured to evaluate freshness of cyber security information; a reliability evaluation module configured to evaluate a level of reliability of an information source of the cyber security information; a richness evaluation module configured to evaluate richness of a content of the cyber security information; and a value evaluation module configured to evaluate a value of the cyber security information based on evaluation results obtained by the freshness evaluation module, the reliability evaluation module, and the richness evaluation module.
- the richness evaluation module is configured to: identify a target of application of the cyber security information; and evaluate the richness of the content of the cyber security information in the identified target.
- FIG. 1 is a diagram for illustrating a configuration example of a system according to a first embodiment of this invention.
- FIG. 2 is a diagram for illustrating a configuration example of each computer included in the system according to the first embodiment.
- a system 100 is a system which evaluates a value of information collected from information sources (providers) such as SNSs, Webs, and organizations, and is formed of at least one computer 200.
- the system 100 may include a storage system, a network switch, a gateway, and the like.
- a type and contents of the information to be collected are not limited in this invention.
- the processor 201 is an arithmetic device which executes a program stored in the main storage device 203.
- the processor 201 executes processing in accordance with the program, to thereby operate as a function module (module) for implementing a specific function.
- the description indicates that the processor 201 is executing the program for implementing the function module.
- the network interface 202 is an interface for communication to and from an external device via a network.
- the main storage device 203 is a storage device which stores programs executed by the processor 201 and information used by the programs, and is, for example, a dynamic random access memory (DRAM).
- the main storage device 203 is used also as a work area.
- the secondary storage device 204 is a storage device which permanently stores information, and is, for example, a hard disk drive (HDD), a solid state drive (SSD), or the like.
- the programs and information stored in the main storage device 203 may be stored in the secondary storage device 204.
- the processor 201 reads out the programs and information from the secondary storage device 204, and loads the programs and information onto the main storage device 203.
- the system 100 includes an input module 110, a preprocessing module 111, a freshness evaluation module 112, a reliability evaluation module 113, a target determination module 114, a richness evaluation module 115, a total evaluation value calculation module 116, a value evaluation module 117, and an output module 118. Moreover, the system 100 holds an information source DB 120, a plurality of structured DBs 121, and a collection information DB 122.
- the information source DB 120 is a database which manages information on information sources.
- data including, for example, types of information sources and names and the like of organizations and the like being the information sources is stored.
- the types of information sources are, for example, the Auto-ISAC and SNS.
- the structured DB 121 is a database which manages words used in a target (a field, a product, or the like). In this embodiment, it is assumed that one structured DB 121 exists for one target. The system 100 manages the target and the structured DB 121 in association with each other. In the structured DB 121, data including, for example, words and categories is stored.
- the categories may have a hierarchical structure such as large categories, medium categories, and small categories. For example, in a case of categories of the security, the large category is "security," and the medium categories are "attack source," "countermeasure," and the like.
- the system 100 may hold a structured DB 121 which belongs to none of the targets.
- the collection information DB 122 is a database which manages cyber security information input to the system 100.
- cyber security information having an ID assigned thereto is stored.
- the cyber security information in this embodiment includes a document formed of character strings.
- the cyber security information may include images and graphs, for example.
- the input module 110 receives input of the cyber security information and information to be used for processing such as threshold values.
- the input module 110 provides an interface for receiving input of the various types of setting information.
- the input module 110 outputs the cyber security information to the preprocessing module 111, and stores the cyber security information having the ID assigned thereto in the collection information DB 122.
- the input module 110 outputs the setting information to be used for the processing such as the threshold values to each function module. In FIG. 1 , the input module 110 outputs, to the value evaluation module 117, a threshold value for selecting valuable cyber security information.
- the preprocessing module 111 executes preprocessing for the cyber security information.
- the preprocessing is, for example, conversion, formatting, coupling, and normalization of data.
- the freshness evaluation module 112 evaluates freshness of the cyber security information based on a date of creation, a date of update, a frequency of update, and the like of the cyber security information, to thereby calculate a freshness evaluation value.
- the reliability evaluation module 113 evaluates a level of reliability of the information source of the cyber security information based on the information source and the like of the cyber security information, to thereby calculate a reliability evaluation value.
- the target determination module 114 determines a target of application of the cyber security information through use of the structured DBs 121.
- the richness evaluation module 115 evaluates richness of contents of the cyber security information in any target, to thereby calculate a richness evaluation value.
- the total evaluation value calculation module 116 calculates a total evaluation value through use of the freshness evaluation value, the reliability evaluation value, and the richness evaluation value.
- the value evaluation module 117 uses the total evaluation value to select cyber security information having a high value for the target determined by the target determination module 114.
- the output module 118 outputs, as evaluation information, information on the cyber security information selected by the value evaluation module 117.
- the output module 118 provides an interface for displaying the evaluation information.
- a plurality of function modules may be combined into one function module, or one function module may be divided into a plurality of function modules each corresponding to a relevant function.
- the richness evaluation module 115 may have the function of the target determination module 114.
- the value evaluation module 117 may have the function of the total evaluation value calculation module 116.
- FIG. 3 is a flowchart for illustrating an example of registration processing for the structured DB 121 executed by the system 100 according to the first embodiment.
- FIG. 4 is a view for illustrating an example of a screen presented by the system 100 according to the first embodiment.
- a user uses a terminal or the like to access the system 100, to thereby transmit a registration start request for a structured DB 121.
- In a case where the input module 110 of the system 100 receives this registration start request, the input module 110 presents a screen 400 of FIG. 4 (Step S101).
- the screen 400 includes a target input field 401, a DB input field 402, and a registration button 403.
- the target input field 401 is a field for inputting a target of the structured DB 121.
- the DB input field 402 is a field for inputting the structured DB 121.
- a file which is a substance of the structured DB 121 or a file path, a URL, or the like of the structured DB 121 is input.
- the registration button 403 is an operation button for registering the structured DB 121. In a case where the user inputs data into the target input field 401 and the DB input field 402, and operates the registration button 403, a registration request is transmitted to the system 100.
- the input module 110 registers the structured DB 121 in association with the target (Step S102).
- FIG. 5 is a flowchart for illustrating an example of cyber security information evaluation processing executed by the system 100 according to the first embodiment.
- FIG. 6 is a view for illustrating an example of a screen presented by the system 100 according to the first embodiment.
- FIG. 7 , FIG. 8 , and FIG. 9 are tables for showing examples of information to be used by the system 100 according to the first embodiment in the cyber security information evaluation processing.
- the user uses a terminal or the like to access the system 100, to thereby transmit an evaluation start request for cyber security information.
- In a case where the input module 110 of the system 100 receives this evaluation start request, the input module 110 presents a screen 600 of FIG. 6 (Step S201).
- the screen 600 includes a cyber security information input field 601, an addition button 602, and an evaluation button 603.
- the cyber security information input field 601 is a field for inputting the cyber security information to be evaluated.
- a file which is a substance of the cyber security information or a file path, a URL, or the like of the cyber security information is input.
- the addition button 602 is an operation button for adding the cyber security information input field 601.
- the evaluation button 603 is an operation button for evaluating the cyber security information. In a case where the user inputs data into the cyber security information input field 601, and operates the evaluation button 603, an evaluation request is transmitted to the system 100.
- In a case where the input module 110 receives the evaluation request, the input module 110 stores the cyber security information input by the user in the collection information DB 122 (Step S202), and outputs the cyber security information to the preprocessing module 111.
- the preprocessing module 111 executes preprocessing for the cyber security information (Step S203).
- a content of the preprocessing to be executed is not limited in this invention. Moreover, the preprocessing is not required to be executed.
- Loop processing for the cyber security information is started (Step S204). Specifically, the preprocessing module 111 selects one piece of cyber security information, and outputs the selected cyber security information to the freshness evaluation module 112, the reliability evaluation module 113, and the target determination module 114.
- the freshness evaluation module 112 calculates a freshness evaluation value C 1 indicating the freshness of the cyber security information based on the date of creation, the date of update, the number of times of update, and the like of the cyber security information (Step S205), and outputs the freshness evaluation value C 1 to the total evaluation value calculation module 116.
- As the evaluation method for the freshness, it is only required to use a publicly-known technology, and hence a detailed description thereof is omitted.
- the target determination module 114 executes target determination processing (Step S207). Specifically, the following processing is executed.
- (Step S207-1) The target determination module 114 selects one target, and refers to the structured DB 121 corresponding to this target. At this time, the target determination module 114 registers an entry in intermediate information 700.
- the intermediate information 700 stores entries each formed of an information ID 701 and a relevance degree 702.
- the information ID 701 is a field for storing the ID of the cyber security information.
- the relevance degree 702 is a field group for storing relevance degrees each indicating relevance of the cyber security information to a target.
- the relevance degree 702 includes one or more columns of the targets.
- the relevance degree 702 of the added entry is blank.
- the target determination module 114 uses the structured DB 121 to analyze documents included in the cyber security information, to thereby extract topics relating to the selected target.
- the target determination module 114 calculates the relevance degree indicating the relevance of the cyber security information to the selected target based on the number of extracted topics, contents, and the like.
- the target determination module 114 refers to the relevance degree 702 of the entry added to the intermediate information 700, and stores the relevance degree in the column of the selected target.
- the calculation method for the relevance degree is an example, and the calculation method is not limited to this example.
- the calculation method may be a method of calculating the relevance degree by inputting documents into a model generated through machine learning.
- (Step S207-3) The target determination module 114 determines whether or not the processing is completed for all of the targets. In a case where the processing has not been completed for all of the targets, the process returns to Step S207-1, and the target determination module 114 executes similar processing.
- (Step S207-4) In a case where the processing has been completed for all of the targets, the target determination module 114 refers to the intermediate information 700, to thereby select a target having the highest relevance degree, and outputs identification information on the selected target to the richness evaluation module 115. After that, the target determination module 114 finishes the target determination processing.
- the target determination module 114 may ask the user for selection of the target through the output module 118, or may select the plurality of targets. Moreover, the target determination module 114 may output, to the richness evaluation module 115, a value indicating that the cyber security information belongs to none of the targets.
- the user may specify, in advance, a type of targets to be determined by the target determination module 114.
- the richness evaluation module 115 calculates a richness evaluation value C 3 indicating the richness of the contents of the cyber security information in the target selected by the target determination module 114 (Step S208), and outputs the richness evaluation value C 3 to the total evaluation value calculation module 116. Specifically, the following processing is executed.
- (Step S208-1) The richness evaluation module 115 adds an entry to intermediate information 800.
- the intermediate information 800 stores entries each formed of an information ID 801, a target 802, and an item count 803.
- the information ID 801 is a field for storing the ID of the cyber security information.
- the target 802 is a field for storing identification information on the target. In the target 802, a name, an identification number, or the like of the target is stored.
- the item count 803 is a field group for storing numbers of items relevant to the target in the cyber security information. In the item count 803, the number of items is managed for each category. When the category is hierarchical, the numbers of items are managed in each intermediate category as a unit or each small category as a unit. In the intermediate information 800 of FIG. 8, the numbers of items are managed in each intermediate category as a unit.
- the richness evaluation module 115 adds as many entries as the number of categories.
- (Step S208-2) The richness evaluation module 115 uses the structured DB 121 corresponding to the selected target to count the number of items (character strings such as words) in each category, and stores the number in the item count 803 of the entry of the intermediate information 800.
- N i represents a total number of words in the category "i" registered in the structured DB 121.
- a i represents the number of words in the category "i" included in the cyber security information.
- the symbol p i represents a weight for the category "i." It is assumed that the weight p i is set in advance. The user can set the weight p i to any value. It is possible to adjust the weight, to thereby evaluate the richness of the content of the cyber security information relating to a category of interest. In a case where the number of categories is two, any "p" may be used to set p 1 to p, and p 2 to 1 - p.
- the richness evaluation module 115 outputs the richness evaluation value C 3 along with the identification information on each target.
- the richness evaluation module 115 uses the structured DB 121 depending on none of the targets to calculate the richness evaluation value C 3 .
- the total evaluation value calculation module 116 calculates a total evaluation value (Step S209). Specifically, the following processing is executed.
- (Step S209-1) The total evaluation value calculation module 116 adds an entry to intermediate information 900.
- the intermediate information 900 stores entries each formed of an information ID 901, a target 902, a freshness 903, a reliability 904, a richness 905, and a total evaluation 906.
- the information ID 901 is a field for storing the ID of the cyber security information.
- the target 902 is a field for storing identification information on the target.
- the freshness 903 is a field for storing the freshness evaluation value C 1 .
- the reliability 904 is a field for storing the reliability evaluation value C 2 .
- the richness 905 is a field for storing the richness evaluation value C 3 .
- the total evaluation 906 is a field for storing the total evaluation value.
- the total evaluation 906 of the added entry of the intermediate information 900 is blank.
- (Step S209-3) The total evaluation value calculation module 116 notifies the preprocessing module 111 of the completion of the processing.
- the preprocessing module 111 determines whether or not the processing has been completed for all of the pieces of cyber security information input by the user (Step S210).
- the process returns to Step S204, and the preprocessing module 111 executes similar processing.
- the preprocessing module 111 instructs the total evaluation value calculation module 116 to output the intermediate information 900.
- the total evaluation value calculation module 116 which has received this instruction, outputs the intermediate information 900 to the value evaluation module 117.
- In a case where the intermediate information 900 is input, the value evaluation module 117 generates the evaluation information based on the intermediate information 900 (Step S211), and outputs the evaluation information to the output module 118. Specifically, the following processing is executed.
- (Step S211-1) The value evaluation module 117 selects one target.
- (Step S211-2) The value evaluation module 117 searches for an entry of the intermediate information 900 that stores, in the target 902, the identification information on the selected target.
- (Step S211-3) The value evaluation module 117 compares the total evaluation value stored in the total evaluation 906 of the retrieved entry and the threshold value with each other, to thereby determine whether or not the cyber security information corresponding to the retrieved entry has a high value in the target corresponding to the retrieved entry. For example, in a case where the total evaluation value is larger than the threshold value, the value evaluation module 117 determines that the value of the cyber security information is high in the target.
- the value evaluation module 117 deletes, from the intermediate information 900, entries of the cyber security information each having a low value. The value evaluation module 117 is not required to delete the entry. It is possible to reconsider data included in cyber security information by presenting that the value of this cyber security information is low for a certain target.
- (Step S211-4) The value evaluation module 117 determines whether or not the processing is completed for all of the targets.
- the process returns to Step S211-1, and the value evaluation module 117 executes similar processing.
- the value evaluation module 117 generates the intermediate information 900 as the evaluation information.
- the output module 118 presents the evaluation information to the user (Step S212).
- Step S205, Step S206, Step S207, and Step S208 may be executed in a different order or in parallel.
- the user can identify cyber security information having high values for the intended targets by referring to the evaluation information. Moreover, the user can recognize for which target each piece of cyber security information is valuable by referring to the evaluation information.
- When technical fields are set as the targets, the user can recognize the value of cyber security information for each of the technical fields. Moreover, the user can identify cyber security information having a high value in a specific technical field. For example, when products are set as the targets, the user can recognize the value of cyber security information for each of the products. Moreover, the user can identify cyber security information having a high value for a specific product.
- the present invention is not limited to the above embodiment and includes various modification examples.
- the configurations of the above embodiment are described in detail so as to describe the present invention comprehensibly.
- the present invention is not necessarily limited to the embodiment that is provided with all of the configurations described.
- a part of each configuration of the embodiment may be removed, substituted, or added to other configurations.
- a part or the entirety of each of the above configurations, functions, processing units, processing means, and the like may be realized by hardware, such as by designing integrated circuits therefor.
- the present invention can be realized by program codes of software that realizes the functions of the embodiment.
- a storage medium on which the program codes are recorded is provided to a computer, and a CPU that the computer is provided with reads the program codes stored on the storage medium.
- the program codes read from the storage medium realize the functions of the above embodiment, and the program codes and the storage medium storing the program codes constitute the present invention.
- Examples of such a storage medium used for supplying program codes include a flexible disk, a CD-ROM, a DVD-ROM, a hard disk, a solid state drive (SSD), an optical disc, a magneto-optical disc, a CD-R, a magnetic tape, a non-volatile memory card, and a ROM.
- the program codes that realize the functions written in the present embodiment can be implemented by a wide range of programming and scripting languages such as assembler, C/C++, Perl, shell scripts, PHP, Python and Java.
- the program codes of the software that realizes the functions of the embodiment are stored on storing means such as a hard disk or a memory of the computer or on a storage medium such as a CD-RW or a CD-R by distributing the program codes through a network and that the CPU that the computer is provided with reads and executes the program codes stored on the storing means or on the storage medium.
- control lines and information lines that are considered as necessary for description are illustrated, and all the control lines and information lines of a product are not necessarily illustrated. All of the configurations of the embodiment may be connected to each other.
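The evaluation flow of Steps S207 to S211 can be sketched as follows. This is an added example, not code from the patent. The page defines N i, a i and p i but does not reproduce the formulas, so the richness C3 = sum of p_i * a_i / N_i, the relevance degree (share of registered words found) and the total evaluation value (mean of C1, C2, C3) are assumptions, as are all names, the structured DB contents and the sample text.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed structured DBs (one per target): category -> registered words.
STRUCTURED_DBS = {
    "automobile": {
        "attack source": {"can", "ecu", "obd", "telematics"},
        "countermeasure": {"gateway", "firmware", "update", "authentication"},
    },
    "medical": {
        "attack source": {"infusion", "pacemaker", "dicom", "telemetry"},
        "countermeasure": {"segmentation", "firmware", "update", "encryption"},
    },
}

# Constructed advisory text and category weights p_i.
DOC_A = ("Attackers reached the ECU over the CAN bus through the OBD port. "
         "Mitigation: gateway filtering and a signed firmware update.")
WEIGHTS = {"attack source": 0.5, "countermeasure": 0.5}


def tokenize(text):
    """Lower-cased distinct words of the document."""
    return set(re.findall(r"[a-z0-9]+", text.lower()))


def relevance(words, db):
    """Assumed relevance degree: share of the DB's distinct words in the document."""
    vocab = set().union(*db.values())
    return len(words & vocab) / len(vocab)


def determine_target(words, dbs):
    """Step S207: score every target and select the one with the highest degree."""
    degrees = {target: relevance(words, db) for target, db in dbs.items()}
    best = max(degrees, key=degrees.get)
    # None stands for "belongs to none of the targets".
    return (best if degrees[best] > 0 else None), degrees


def richness(words, db, weights):
    """Step S208 with the assumed formula C3 = sum_i p_i * a_i / N_i."""
    if set(weights) != set(db):
        raise ValueError("a weight p_i is required for every category")
    total = 0.0
    for category, vocab in db.items():
        a_i = len(words & vocab)   # registered words of category i found in the text
        n_i = len(vocab)           # registered words of category i in the DB
        total += weights[category] * a_i / n_i
    return total


@dataclass
class Evaluation:
    info_id: str
    target: Optional[str]
    freshness: float
    reliability: float
    richness: float
    total: float
    high_value: bool


def evaluate(info_id, text, c1, c2, weights, threshold,
             dbs=STRUCTURED_DBS, analysis_target=None):
    """Steps S207 to S211 for one document. c1 and c2 are supplied by the caller,
    since the page leaves freshness and reliability to known techniques."""
    words = tokenize(text)
    target = analysis_target or determine_target(words, dbs)[0]
    # Simplification: the page uses a target-independent DB when no target fits.
    c3 = richness(words, dbs[target], weights) if target else 0.0
    total = (c1 + c2 + c3) / 3     # assumed combination of the three values
    return Evaluation(info_id, target, c1, c2, c3, total, total > threshold)


if __name__ == "__main__":
    # Same document, same source: high value for its own target, low for another.
    print(evaluate("A", DOC_A, 0.9, 0.6, WEIGHTS, 0.6))
    print(evaluate("A", DOC_A, 0.9, 0.6, WEIGHTS, 0.6, analysis_target="medical"))
```

With identical freshness and reliability inputs, the sample text clears the threshold for the automobile target and falls below it when the analysis target is the medical field.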
Abstract
A computer system comprises a freshness evaluation module configured to evaluate freshness of cyber security information; a reliability evaluation module configured to evaluate a level of reliability of an information source of the cyber security information; a richness evaluation module configured to evaluate richness of a content of the cyber security information; and a value evaluation module configured to evaluate a value of the cyber security information based on evaluation results obtained by the freshness evaluation module, the reliability evaluation module, and the richness evaluation module. The richness evaluation module is configured to: identify a target of application of the cyber security information; and evaluate the richness of the content of the cyber security information in the identified target.
Description
- The present application claims priority to Japanese Patent Application No. 2021-87011 filed on May 24, 2021
- This invention relates to a system and a method which determine a value of cyber security information.
- In recent years, the importance of countermeasures against cyber attacks has increased. For example, in ISO 21434, an international standard relating to cyber security for vehicles, long-term cyber security policies are increasingly required as digitization of control systems for vehicles has progressed.
- In the cyber security policies, it is required to collect and analyze information (cyber security information) on threat, vulnerability, and the like. The collection and the analysis of the information are executed by, for example, a product security incident response team (PSIRT).
- In recent years, an infrastructure for sharing the cyber security information has been built. There exist systems and tools which automatically collect the cyber security information from this infrastructure. However, it is required to manually determine a value of the collected cyber security information, and there is a problem in that man-hours required for the check are large. Thus, a system which automatically evaluates the cyber security information is required. For this purpose, there are known technologies as described in JP 2019-101672 A
- In JP 2019-101672 A
- In Lei Li, Xiaoyong Li, Y. Gao, "MTIV: A Trustworthiness Determination Approach for Threat Intelligence," Security, Privacy, and Anonymity in Computation, Communication, and Storage, pp. 5-14, there is described a method of calculating trustworthiness of information based on similarity in an information source, times such as publication date and time and update date and time, and information.
- Even when the information source is reliable and contents are accurate, in a case in which targets, such as a field and a product, of disclosure targets of the cyber security information are not relevant to targets, such as a field and a product, of analysis targets, the value of the cyber security information is low. For example, in a case in which the disclosure target of the cyber security information is the medical field but the analysis target is the automobile field, even when an information source of this cyber security information is reliable and accurate contents are described, the value is low. Moreover, the same is true for a case in which the disclosure target of the cyber security information is a product A but the analysis target is a product B.
- However, in the related art, richness of the contents of the cyber security information is not evaluated in consideration of the target, and hence the information cannot be narrowed down as described above.
- This invention is to provide a system and a method which evaluate richness of contents of cyber security information in consideration of a target, and automatically determine a value of the cyber security information.
- A representative example of the present invention disclosed in this specification is as follows: a computer system comprises: at least one computer; a freshness evaluation module configured to evaluate freshness of cyber security information; a reliability evaluation module configured to evaluate a level of reliability of an information source of the cyber security information; a richness evaluation module configured to evaluate richness of a content of the cyber security information; and a value evaluation module configured to evaluate a value of the cyber security information based on evaluation results obtained by the freshness evaluation module, the reliability evaluation module, and the richness evaluation module. The richness evaluation module is configured to: identify a target of application of the cyber security information; and evaluate the richness of the content of the cyber security information in the identified target.
- According to this invention, it is possible to evaluate the richness of the contents of the cyber security information in consideration of the target, and to automatically determine the value of the cyber security information. Other problems, configurations, and effects than those described above will become apparent in the descriptions of embodiments below.
- The present invention can be appreciated by the description which follows in conjunction with the following figures, wherein:
- FIG. 1 is a diagram for illustrating a configuration example of a system according to a first embodiment of this invention;
- FIG. 2 is a diagram for illustrating a configuration example of each computer included in the system according to the first embodiment;
- FIG. 3 is a flowchart for illustrating an example of registration processing for a structured DB executed by the system according to the first embodiment;
- FIG. 4 is a view for illustrating an example of a screen presented by the system according to the first embodiment;
- FIG. 5 is a flowchart for illustrating an example of cyber security information evaluation processing executed by the system according to the first embodiment;
- FIG. 6 is a view for illustrating an example of a screen presented by the system according to the first embodiment; and
- FIG. 7, FIG. 8, and FIG. 9 are tables for showing examples of information to be used by the system according to the first embodiment in the cyber security information evaluation processing.
- Now, a description is given of an embodiment of this invention referring to the drawings. It should be noted that this invention is not to be construed by limiting the invention to the content described in the following embodiment. A person skilled in the art would easily recognize that a specific configuration described in the following embodiment may be changed within the scope of the concept and the gist of this invention.
- In a configuration of this invention described below, the same or similar components or functions are assigned with the same reference numerals, and a redundant description thereof is omitted here.
- Notations of, for example, "first", "second", and "third" herein are assigned to distinguish between components, and do not necessarily limit the number or order of those components.
- The position, size, shape, range, and others of each component illustrated in, for example, the drawings may not represent the actual position, size, shape, range, and other metrics in order to facilitate understanding of this invention. Thus, this invention is not limited to the position, size, shape, range, and others described in, for example, the drawings.
- FIG. 1 is a diagram for illustrating a configuration example of a system according to a first embodiment of this invention. FIG. 2 is a diagram for illustrating a configuration example of each computer included in the system according to the first embodiment.
- A system 100 is a system which evaluates a value of information collected from information sources (providers) such as SNSs, Webs, and organizations, and is formed of at least one computer 200. The system 100 may include a storage system, a network switch, a gateway, and the like.
- In this embodiment, it is assumed that cyber security information is collected. A type and contents of the information to be collected are not limited in this invention.
- As illustrated in FIG. 2, the computer 200 includes a processor 201, a network interface 202, a main storage device 203, and a secondary storage device 204. The computer 200 may include an input device such as a keyboard, a mouse, and a touch panel and an output device such as a display.
- The processor 201 is an arithmetic device which executes a program stored in the main storage device 203. The processor 201 executes processing in accordance with the program, to thereby operate as a function module (module) for implementing a specific function. In the following description, when the processing is described with a function module as the subject, the description indicates that the processor 201 is executing the program for implementing the function module.
- The network interface 202 is an interface for communication to and from an external device via a network.
- The main storage device 203 is a storage device which stores programs executed by the processor 201 and information used by the programs, and is, for example, a dynamic random access memory (DRAM). The main storage device 203 is used also as a work area. The secondary storage device 204 is a storage device which permanently stores information, and is, for example, a hard disk drive (HDD), a solid state drive (SSD), or the like.
- The programs and information stored in the main storage device 203 may be stored in the secondary storage device 204. In this case, the processor 201 reads out the programs and information from the secondary storage device 204, and loads the programs and information onto the main storage device 203.
- The system 100 includes an input module 110, a preprocessing module 111, a freshness evaluation module 112, a reliability evaluation module 113, a target determination module 114, a richness evaluation module 115, a total evaluation value calculation module 116, a value evaluation module 117, and an output module 118. Moreover, the system 100 holds an information source DB 120, a plurality of structured DBs 121, and a collection information DB 122.
- The information source DB 120 is a database which manages information on information sources. In the information source DB 120, data including, for example, types of information sources and names and the like of organizations and the like being the information sources is stored. The types of information sources are, for example, the Auto-ISAC and SNS.
- The structured DB 121 is a database which manages words used in a target (a field, a product, or the like). In this embodiment, it is assumed that one structured DB 121 exists for one target. The system 100 manages the target and the structured DB 121 in association with each other. In the structured DB 121, data including, for example, words and categories is stored. The categories may have a hierarchical structure such as large categories, medium categories, and small categories. For example, in a case of categories of the security, the larger category is "security," and the medium categories are "attack source," "countermeasure," and the like.
- The system 100 may hold a structured DB 121 which belongs to none of the targets.
- The collection information DB 122 is a database which manages cyber security information input to the system 100. In the collection information DB 122, for example, cyber security information having an ID assigned thereto is stored.
- It is assumed that the cyber security information in this embodiment includes a document formed of character strings. However, the cyber security information may include images and graphs, for example.
- The input module 110 receives input of the cyber security information and information to be used for processing such as threshold values. The input module 110 provides an interface for receiving input of the various types of setting information. The input module 110 outputs the cyber security information to the preprocessing module 111, and stores the cyber security information having the ID assigned thereto in the collection information DB 122. The input module 110 outputs the setting information to be used for the processing such as the threshold values to each function module. In FIG. 1, the input module 110 outputs, to the value evaluation module 117, a threshold value for selecting valuable cyber security information.
- The preprocessing module 111 executes preprocessing for the cyber security information. The preprocessing is, for example, conversion, formatting, coupling, and normalization of data.
- The freshness evaluation module 112 evaluates freshness of the cyber security information based on a date of creation, a date of update, a frequency of update, and the like of the cyber security information, to thereby calculate a freshness evaluation value. The reliability evaluation module 113 evaluates a level of reliability of the information source of the cyber security information based on the information source and the like of the cyber security information, to thereby calculate a reliability evaluation value.
- The target determination module 114 determines a target of application of the cyber security information through use of the structured DBs 121. The richness evaluation module 115 evaluates richness of contents of the cyber security information in any target, to thereby calculate a richness evaluation value.
- The total evaluation value calculation module 116 calculates a total evaluation value through use of the freshness evaluation value, the reliability evaluation value, and the richness evaluation value. The value evaluation module 117 uses the total evaluation value to select cyber security information having a high value for the target determined by the target determination module 114.
- The output module 118 outputs, as evaluation information, information on the cyber security information selected by the value evaluation module 117. The output module 118 provides an interface for displaying the evaluation information.
- Regarding the respective function modules of the system 100, a plurality of function modules may be combined into one function module, or one function module may be divided into a plurality of function modules each corresponding to a relevant function. For example, the richness evaluation module 115 may have the function of the target determination module 114. Moreover, the value evaluation module 117 may have the function of the total evaluation value calculation module 116.
- A specific description is now given of processing executed by the system 100.
- FIG. 3 is a flowchart for illustrating an example of registration processing for the structured DB 121 executed by the system 100 according to the first embodiment. FIG. 4 is a view for illustrating an example of a screen presented by the system 100 according to the first embodiment.
- A user uses a terminal or the like to access the system 100, to thereby transmit a registration start request for a structured DB 121. In a case where the input module 110 of the system 100 receives this registration start request, the input module 110 presents a screen 400 of FIG. 4 (Step S101).
- The screen 400 includes a target input field 401, a DB input field 402, and a registration button 403. The target input field 401 is a field for inputting a target of the structured DB 121. The DB input field 402 is a field for inputting the structured DB 121. Into the DB input field 402, a file which is a substance of the structured DB 121 or a file path, a URL, or the like of the structured DB 121 is input. The registration button 403 is an operation button for registering the structured DB 121. In a case where the user inputs data into the target input field 401 and the DB input field 402, and operates the registration button 403, a registration request is transmitted to the system 100.
- In a case where the input module 110 receives the registration request, the input module 110 registers the structured DB 121 in association with the target (Step S102).
- FIG. 5 is a flowchart for illustrating an example of cyber security information evaluation processing executed by the system 100 according to the first embodiment. FIG. 6 is a view for illustrating an example of a screen presented by the system 100 according to the first embodiment. FIG. 7, FIG. 8, and FIG. 9 are tables for showing examples of information to be used by the system 100 according to the first embodiment in the cyber security information evaluation processing.
- The user uses a terminal or the like to access the system 100, to thereby transmit an evaluation start request for cyber security information. In a case where the input module 110 of the system 100 receives this evaluation start request, the input module 110 presents a screen 600 of FIG. 6 (Step S201).
- The screen 600 includes a cyber security information input field 601, an addition button 602, and an evaluation button 603. The cyber security information input field 601 is a field for inputting the cyber security information to be evaluated. Into the cyber security information input field 601, a file which is a substance of the cyber security information or a file path, a URL, or the like of the cyber security information is input. The addition button 602 is an operation button for adding the cyber security information input field 601. The evaluation button 603 is an operation button for evaluating the cyber security information. In a case where the user inputs data into the cyber security information input field 601, and operates the evaluation button 603, an evaluation request is transmitted to the system 100.
- In a case where the input module 110 receives the evaluation request, the input module 110 stores the cyber security information input by the user in the collection information DB 122 (Step S202), and outputs the cyber security information to the preprocessing module 111.
- The preprocessing module 111 executes preprocessing for the cyber security information (Step S203). A content of the preprocessing to be executed is not limited in this invention. Moreover, the preprocessing is not required to be executed.
- After that, loop processing for the cyber security information is started (Step S204). Specifically, the preprocessing module 111 selects one piece of cyber security information, and outputs the selected cyber security information to the freshness evaluation module 112, the reliability evaluation module 113, and the target determination module 114.
- The freshness evaluation module 112 calculates a freshness evaluation value C1 indicating the freshness of the cyber security information based on the date of creation, the date of update, the number of times of update, and the like of the cyber security information (Step S205), and outputs the freshness evaluation value C1 to the total evaluation value calculation module 116. As the evaluation method for the freshness, it is only required to use a publicly-known technology, and hence a detailed description thereof is omitted.
- The reliability evaluation module 113 calculates a reliability evaluation value C2 indicating the level of the reliability of the information source of the cyber security information based on the information on the information source of the cyber security information and the information source DB 120 (Step S206), and outputs the reliability evaluation value C2 to the total evaluation value calculation module 116. As the evaluation method for the reliability of the information source, it is only required to use a publicly-known technology, and hence a detailed description thereof is omitted.
- The target determination module 114 executes target determination processing (Step S207). Specifically, the following processing is executed.
- (Step S207-1) The target determination module 114 selects one target, and refers to the structured DB 121 corresponding to this target. At this time, the target determination module 114 registers an entry in intermediate information 700.
- The intermediate information 700 stores entries each formed of an information ID 701 and a relevance degree 702. The information ID 701 is a field for storing the ID of the cyber security information. The relevance degree 702 is a field group for storing relevance degrees each indicating relevance of the cyber security information to a target. The relevance degree 702 includes one or more columns of the targets.
- At this time point, the relevance degree 702 of the added entry is blank.
- (Step S207-2) The target determination module 114 uses the structured DB 121 to analyze documents included in the cyber security information, to thereby extract topics relating to the selected target. The target determination module 114 calculates the relevance degree indicating the relevance of the cyber security information to the selected target based on the number of extracted topics, contents, and the like. The target determination module 114 refers to the relevance degree 702 of the entry added to the intermediate information 700, and stores the relevance degree in the column of the selected target.
- The calculation method for the relevance degree is an example, and the calculation method is not limited to this example. The calculation method may be a method of calculating the relevance degree by inputting documents into a model generated through machine learning.
- (Step S207-3) The target determination module 114 determines whether or not the processing is completed for all of the targets. In a case where the processing has not been completed for all of the targets, the process returns to Step S207-1, and the target determination module 114 executes similar processing.
- (Step S207-4) In a case where the processing has been completed for all of the targets, the target determination module 114 refers to the intermediate information 700, to thereby select a target having the highest relevance degree, and outputs identification information on the selected target to the richness evaluation module 115. After that, the target determination module 114 finishes the target determination processing.
- In a case where there exist a plurality of targets which have large relevance degrees and are different from one another by small amounts, the target determination module 114 may ask the user for selection of the target through the output module 118, or may select the plurality of targets. Moreover, the target determination module 114 may output, to the richness evaluation module 115, a value indicating that the cyber security information belongs to none of the targets.
- The user may specify, in advance, a type of targets to be determined by the target determination module 114.
- Description has been given of the processing step of Step S207.
- The richness evaluation module 115 calculates a richness evaluation value C3 indicating the richness of the contents of the cyber security information in the target selected by the target determination module 114 (Step S208), and outputs the richness evaluation value C3 to the total evaluation value calculation module 116. Specifically, the following processing is executed.
- (Step S208-1) The richness evaluation module 115 adds an entry to intermediate information 800.
- The intermediate information 800 stores entries each formed of an information ID 801, a target 802, and an item count 803. One entry exists for a combination of the cyber security information and the target. The information ID 801 is a field for storing the ID of the cyber security information. The target 802 is a field for storing identification information on the target. In the target 802, a name, an identification number, or the like of the target is stored. The item count 803 is a field group for storing numbers of items relevant to the target in the cyber security information. In the item count 803, the number of items is managed for each category. When the category is hierarchical, the numbers of items are managed in each intermediate category as a unit or each small category as a unit. In the intermediate information 800 of FIG. 8, the numbers of items are managed in each intermediate category as a unit.
- At this time point, the item count 803 of the added entry is blank.
- In a case where a plurality of categories are input, the richness evaluation module 115 adds as many entries as the number of categories.
- (Step S208-2) The richness evaluation module 115 uses the structured DB 121 corresponding to the selected target to count the number of items (character strings such as words) in each category, and stores the number in the item count 803 of the entry of the intermediate information 800.
-
- In this expression, "i" is a character indicating the type of the category. In this embodiment, it is assumed that an integer is assigned to each category. Ni represents a total number of words in the category "i" registered in the structured DB 121. Ai represents the number of words in the category "i" included in the cyber security information. The symbol pi represents a weight for the category "i." It is assumed that the weight pi is set in advance. The user can set the weight pi to any value. It is possible to adjust the weight, to thereby evaluate the richness of the content of the cyber security information relating to a category of interest. In a case where the number of categories is two, any "p" may be used to set p1 to p, and p2 to 1-p.
- In a case where a plurality of targets are selected, the richness of the contents of the cyber security information is calculated for each of the targets. In this case, the richness evaluation module 115 outputs the richness evaluation value C3 along with the identification information on each target.
- In a case where the value indicating that the cyber security information belongs to none of the targets is input, the richness evaluation module 115 uses the structured DB 121 depending on none of the targets to calculate the richness evaluation value C3.
- Description has been given of the processing step of Step S208.
- In a case where the freshness evaluation value C1, the reliability evaluation value C2, and the richness evaluation value C3 are input, the total evaluation value calculation module 116 calculates a total evaluation value (Step S209). Specifically, the following processing is executed.
- (Step S209-1) The total evaluation value calculation module 116 adds an entry to intermediate information 900.
- The intermediate information 900 stores entries each formed of an information ID 901, a target 902, a freshness 903, a reliability 904, a richness 905, and a total evaluation 906. One entry exists for a combination of the cyber security information and the target. The information ID 901 is a field for storing the ID of the cyber security information. The target 902 is a field for storing identification information on the target. The freshness 903 is a field for storing the freshness evaluation value C1. The reliability 904 is a field for storing the reliability evaluation value C2. The richness 905 is a field for storing the richness evaluation value C3. The total evaluation 906 is a field for storing the total evaluation value.
- At this time point, the total evaluation 906 of the added entry of the intermediate information 900 is blank.
- In a case where a plurality of richness evaluation values C3 associated with the identification information on the targets are input, as many entries as the number of targets are added.
-
- In this expression, "q" represents a weight. It is assumed that the weight "q" is set in advance. The user can set the weight "q" to any value.
- (Step S209-3) The total evaluation value calculation module 116 notifies the preprocessing module 111 of the completion of the processing.
- Description has been given of the processing step of Step S209.
- In a case where the preprocessing module 111 receives the notification from the total evaluation value calculation module 116, the preprocessing module 111 determines whether or not the processing has been completed for all of the pieces of cyber security information input by the user (Step S210).
- In a case where the processing has not been completed for all of the pieces of cyber security information input by the user, the process returns to Step S204, and the preprocessing module 111 executes similar processing. In a case where the processing has been completed for all of the pieces of cyber security information input by the user, the preprocessing module 111 instructs the total evaluation value calculation module 116 to output the intermediate information 900. The total evaluation value calculation module 116, which has received this instruction, outputs the intermediate information 900 to the value evaluation module 117.
- In a case where the intermediate information 900 is input, the value evaluation module 117 generates the evaluation information based on the intermediate information 900 (Step S211), and outputs the evaluation information to the output module 118. Specifically, the following processing is executed.
- (Step S211-1) The value evaluation module 117 selects one target.
- (Step S211-2) The value evaluation module 117 searches for an entry of the intermediate information 900 that stores, in the target 902, the identification information on the selected target.
- (Step S211-3) The value evaluation module 117 compares the total evaluation value stored in the total evaluation 906 of the retrieved entry and the threshold value with each other, to thereby determine whether or not the cyber security information corresponding to the retrieved entry has a high value in the target corresponding to the retrieved entry. For example, in a case where the total evaluation value is larger than the threshold value, the value evaluation module 117 determines that the value of the cyber security information is high in the target. The value evaluation module 117 deletes, from the intermediate information 900, entries of the cyber security information each having a low value. The value evaluation module 117 is not required to delete the entry. It is possible to reconsider data included in cyber security information by presenting that the value of this cyber security information is low for a certain target.
- (Step S211-4) The value evaluation module 117 determines whether or not the processing is completed for all of the targets.
- In a case where the processing has not been completed for all of the targets, the process returns to Step S211-1, and the value evaluation module 117 executes similar processing. In a case where the processing has been completed for all of the targets, the value evaluation module 117 generates the intermediate information 900 as the evaluation information.
- Description has been given of the processing step of Step S211.
- When the evaluation information is input, the output module 118 presents the evaluation information to the user (Step S212).
- The processing steps of Step S205, Step S206, Step S207, and Step S208 may be executed in a different order or in parallel.
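The flow of Steps S207 to S211, sketched as an added Python example; it is not code from the patent. The structured DBs, report texts and scores are constructed, the relevance degree is taken to be a matched-word count, and because the expressions for the richness and total evaluation values do not appear on this page, the weighted sum of Ai/Ni and the q-weighted combination used here are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed structured DBs (one per target): category -> registered words.
STRUCTURED_DBS = {
    "automotive": {
        "attack source": {"can bus", "obd-ii", "telematics", "infotainment"},
        "countermeasure": {"secure boot", "message authentication",
                           "gateway filtering", "firmware update"},
    },
    "medical": {
        "attack source": {"infusion pump", "dicom", "hl7", "pacemaker"},
        "countermeasure": {"network segmentation", "firmware update",
                           "audit logging", "access control"},
    },
}

# Constructed inputs. C1 (freshness) and C2 (reliability) are supplied as
# numbers because the page leaves their calculation to publicly known methods.
REPORTS = [
    {"id": "R1", "freshness": 0.9, "reliability": 0.8,
     "text": "A compromised telematics unit can inject frames on the CAN bus "
             "through the OBD-II port. Mitigations: message authentication "
             "and gateway filtering."},
    {"id": "R2", "freshness": 0.4, "reliability": 0.9,
     "text": "An infusion pump exposes an HL7 interface without access "
             "control. Apply the firmware update."},
    {"id": "R3", "freshness": 0.9, "reliability": 0.9,
     "text": "The vendor fixed an unspecified bug; apply the firmware update."},
]
WEIGHTS = {"attack source": 0.5, "countermeasure": 0.5}  # p and 1 - p


@dataclass
class Evaluation:
    """One entry of the final table (same fields as intermediate information 900)."""
    info_id: str
    target: str
    freshness: float
    reliability: float
    richness: float
    total: float


def matched_words(words, text):
    """Registered words that occur in the text as whole terms, case-insensitive."""
    low = text.lower()
    return {w for w in words
            if re.search(r"(?<!\w)" + re.escape(w) + r"(?!\w)", low)}


def relevance_degrees(text):
    """Steps S207-1 to S207-3: one relevance degree per target.
    Assumption: the degree is the number of registered words found."""
    return {target: sum(len(matched_words(ws, text)) for ws in db.values())
            for target, db in STRUCTURED_DBS.items()}


def select_targets(text):
    """Step S207-4: targets with the highest non-zero relevance; ties keep all.
    An empty list means the information belongs to none of the targets."""
    rel = relevance_degrees(text)
    best = max(rel.values())
    return sorted(t for t, r in rel.items() if r == best) if best > 0 else []


def richness(text, target, weights):
    """Step S208: count Ai of the Ni registered words per category, then
    combine with weights pi. Assumed form: sum of pi * Ai / Ni."""
    db = STRUCTURED_DBS[target]
    return sum(weights[cat] * len(matched_words(ws, text)) / len(ws)
               for cat, ws in db.items())


def total_value(c1, c2, c3, q):
    """Step S209. Assumed combination of C1, C2 and C3 with the weight q."""
    return q * (c1 + c2) / 2 + (1 - q) * c3


def evaluate(reports, weights, q, threshold):
    """Steps S204 to S211: keep entries whose total exceeds the threshold."""
    kept = []
    for r in reports:
        for target in select_targets(r["text"]):
            c3 = richness(r["text"], target, weights)
            total = total_value(r["freshness"], r["reliability"], c3, q)
            if total > threshold:
                kept.append(Evaluation(r["id"], target, r["freshness"],
                                       r["reliability"], c3, total))
    return kept


if __name__ == "__main__":
    for entry in evaluate(REPORTS, WEIGHTS, q=0.5, threshold=0.55):
        print(entry)
```

R3 comes from a fresh, reliable source but matches only one registered word in each target, so its richness is low in both and it falls below the threshold.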
- The user can identify cyber security information having high values for the intended targets by referring to the evaluation information. Moreover, the user can recognize for which target each piece of cyber security information is valuable by referring to the evaluation information.
- For example, when technical fields are set as the targets, the user can recognize the value of cyber security information for each of the technical fields. Moreover, the user can identify cyber security information having a high value in a specific technical field. For example, when products are set as the targets, the user can recognize the value of cyber security information for each of the products. Moreover, the user can identify cyber security information having a high value for a specific product.
- According to this embodiment, it is possible to more accurately recognize the value of cyber security information to classify the cyber security information by identifying a target in which the cyber security information is to be evaluated and evaluating the richness of contents of the cyber security information in this target.
- In a case of a system for classifying cyber security information to be analyzed, it is possible to narrow down cyber security information to cyber security information in a specific field, thereby being able to reduce man-hours required for the analysis.
- The present invention is not limited to the above embodiment and includes various modification examples. In addition, for example, the configurations of the above embodiment are described in detail so as to describe the present invention comprehensibly. The present invention is not necessarily limited to the embodiment that is provided with all of the configurations described. In addition, a part of each configuration of the embodiment may be removed, substituted, or added to other configurations.
- A part or the entirety of each of the above configurations, functions, processing units, processing means, and the like may be realized by hardware, such as by designing integrated circuits therefor. In addition, the present invention can be realized by program codes of software that realizes the functions of the embodiment. In this case, a storage medium on which the program codes are recorded is provided to a computer, and a CPU that the computer is provided with reads the program codes stored on the storage medium. In this case, the program codes read from the storage medium realize the functions of the above embodiment, and the program codes and the storage medium storing the program codes constitute the present invention. Examples of such a storage medium used for supplying program codes include a flexible disk, a CD-ROM, a DVD-ROM, a hard disk, a solid state drive (SSD), an optical disc, a magneto-optical disc, a CD-R, a magnetic tape, a non-volatile memory card, and a ROM.
- The program codes that realize the functions written in the present embodiment can be implemented by a wide range of programming and scripting languages such as assembler, C/C++, Perl, shell scripts, PHP, Python and Java.
- It may also be possible that the program codes of the software that realizes the functions of the embodiment are stored on storing means such as a hard disk or a memory of the computer or on a storage medium such as a CD-RW or a CD-R by distributing the program codes through a network and that the CPU that the computer is provided with reads and executes the program codes stored on the storing means or on the storage medium.
- In the above embodiment, only the control lines and information lines considered necessary for the description are illustrated; not all the control lines and information lines of a product are necessarily illustrated. All of the configurations of the embodiment may be connected to each other.
Claims (11)
- A computer system, comprising: at least one computer; a freshness evaluation module configured to evaluate freshness of cyber security information; a reliability evaluation module configured to evaluate a level of reliability of an information source of the cyber security information; a richness evaluation module configured to evaluate richness of a content of the cyber security information; and a value evaluation module configured to evaluate a value of the cyber security information based on evaluation results obtained by the freshness evaluation module, the reliability evaluation module, and the richness evaluation module, the richness evaluation module being configured to: identify a target of application of the cyber security information; and evaluate the richness of the content of the cyber security information in the identified target.
- The computer system according to claim 1, wherein the richness evaluation module is configured to: calculate a relevance degree indicating relevance of the cyber security information to each of a plurality of targets; and identify the target based on the relevance degree of each of the plurality of targets.
- The computer system according to claim 2, wherein the computer system is configured to access a database which stores a character string relevant to each of the plurality of targets, and wherein the richness evaluation module is configured to evaluate the richness of the content of the cyber security information in the identified target by referring to the database to extract the character string which is included in the cyber security information and is relevant to the identified target.
- The computer system according to claim 3, wherein the value evaluation module is configured to: calculate a total evaluation value indicating a value of the cyber security information based on the evaluation results obtained by the freshness evaluation module, the reliability evaluation module, and the richness evaluation module; and select the cyber security information to be presented to a user based on the total evaluation value.
- An evaluation method for cyber security information, which is executed by a computer system including at least one computer, the evaluation method including: a first step of evaluating, by the at least one computer, freshness of cyber security information; a second step of evaluating, by the at least one computer, a level of reliability of an information source of the cyber security information; a third step of evaluating, by the at least one computer, richness of a content of the cyber security information; and a fourth step of evaluating, by the at least one computer, a value of the cyber security information based on evaluation results of the freshness of the cyber security information, the level of the reliability of the information source of the cyber security information, and the richness of the content of the cyber security information, wherein the third step includes: a fifth step of identifying, by the at least one computer, a target of application of the cyber security information; and a sixth step of evaluating, by the at least one computer, the richness of the content of the cyber security information in the identified target.
- The evaluation method for cyber security information according to claim 5, wherein the fifth step includes the steps of: calculating, by the at least one computer, a relevance degree indicating relevance of the cyber security information to each of a plurality of targets; and identifying, by the at least one computer, the target based on the relevance degree of each of the plurality of targets.
- The evaluation method for cyber security information according to claim 6, wherein the computer system is configured to access a database which stores a character string relevant to each of the plurality of targets, and wherein the third step includes a step of evaluating, by the at least one computer, the richness of the content of the cyber security information in the identified target by referring to the database to extract the character string which is included in the cyber security information and is relevant to the identified target.
- The evaluation method for cyber security information according to claim 7, wherein the fourth step includes the steps of: calculating, by the at least one computer, a total evaluation value indicating a value of the cyber security information based on the evaluation results of the freshness of the cyber security information, the level of the reliability of the information source of the cyber security information, and the richness of the content of the cyber security information; and selecting, by the at least one computer, the cyber security information to be presented to a user based on the total evaluation value.
- A computer system, comprising: at least one computer; a freshness evaluation module configured to calculate a freshness evaluation value indicating freshness of cyber security information; a reliability evaluation module configured to calculate a reliability evaluation value indicating a level of reliability of an information source of the cyber security information; a richness evaluation module configured to calculate a richness evaluation value indicating richness of a content of the cyber security information; and a value evaluation module configured to calculate a total evaluation value indicating a value of the cyber security information based on the freshness evaluation value, the reliability evaluation value, and the richness evaluation value, the computer system being configured to access a database which stores a character string relevant to each of a plurality of fields, and the richness evaluation module being configured to: identify a field of application of the cyber security information; refer to the database to extract the character string which is included in the cyber security information and is relevant to the identified field; and calculate the richness evaluation value based on a result of the extraction.
- The computer system according to claim 9, wherein the richness evaluation module is configured to: calculate a relevance degree indicating relevance of the cyber security information to each of the plurality of fields; and identify the field based on the relevance degree of each of the plurality of fields.
- The computer system according to claim 10, wherein the value evaluation module is configured to select the cyber security information to be presented to a user based on the total evaluation value.
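The pipeline recited in claims 9 to 11 can be sketched as follows; this is an added illustration, not code from the patent or the applicant. The keyword database, source names, weights, half-life decay, richness cap and selection threshold are all assumptions, since the claims fix no formula.

```python
import re
from datetime import date
# Constructed data: strings relevant to each field, and source reliability levels.
FIELD_TERMS = {"automotive": ["can bus", "ecu", "telematics", "obd-ii"],
               "industrial": ["plc", "scada", "modbus", "hmi"]}
SOURCE_RELIABILITY = {"vendor-advisory": 0.9, "anonymous-forum": 0.3}
# Assumed parameters: the claims fix no weights, decay rate or threshold.
WEIGHTS = {"freshness": 0.3, "reliability": 0.3, "richness": 0.4}
HALF_LIFE_DAYS, RICHNESS_CAP, THRESHOLD = 30, 3, 0.6

def extract_terms(text, field):
    """Database strings for `field` that occur in the text as whole words."""
    return [t for t in FIELD_TERMS[field]
            if re.search(r"\b" + re.escape(t) + r"\b", text.lower())]

def relevance_degrees(text):
    """Relevance degree per field: share of that field's strings present."""
    return {f: len(extract_terms(text, f)) / len(terms)
            for f, terms in FIELD_TERMS.items()}

def identify_field(text):
    """Field with the highest relevance degree, or None when nothing matches."""
    degrees = relevance_degrees(text)
    best = max(degrees, key=degrees.get)
    return best if degrees[best] > 0 else None

def evaluate(item, today):
    """Three evaluation values and their weighted total for one report."""
    field = identify_field(item["text"])
    found = extract_terms(item["text"], field) if field else []
    age_days = max((today - item["published"]).days, 0)
    scores = {"freshness": 0.5 ** (age_days / HALF_LIFE_DAYS),
              "reliability": SOURCE_RELIABILITY.get(item["source"], 0.1),
              "richness": min(len(found) / RICHNESS_CAP, 1.0)}
    total = sum(WEIGHTS[k] * v for k, v in scores.items())
    return {"id": item["id"], "field": field, "total": total, **scores}

def select(items, field, today):
    """Reports for `field` whose total clears the threshold, best first."""
    rows = [r for r in (evaluate(i, today) for i in items)
            if r["field"] == field and r["total"] >= THRESHOLD]
    return sorted(rows, key=lambda r: r["total"], reverse=True)

TODAY = date(2024, 4, 10)  # constructed reference date
ITEMS = [  # constructed sample reports
    {"id": "A", "source": "vendor-advisory", "published": date(2024, 4, 10),
     "text": "ECU firmware flaw reachable over the CAN bus via telematics unit"},
    {"id": "B", "source": "anonymous-forum", "published": date(2024, 3, 11),
     "text": "Security update for a PLC"}]
```

Whole-word matching matters for short database strings: a plain substring test would count "ecu" inside "security" and misroute report B to the automotive field.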
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2021087011A JP2022180094A (en) | 2021-05-24 | 2021-05-24 | Computer system and evaluation method for cyber security information |
PCT/JP2022/006470 WO2022249588A1 (en) | 2021-05-24 | 2022-02-17 | Calculator system and cyber security information evaluation method |
Publications (1)
Publication Number | Publication Date |
---|---|
EP4350549A1 true EP4350549A1 (en) | 2024-04-10 |
Family
ID=84229821
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP22764988.6A Pending EP4350549A1 (en) | 2021-05-24 | 2022-02-17 | Calculator system and cyber security information evaluation method |
Country Status (4)
Country | Link |
---|---|
US (1) | US20240104220A1 (en) |
EP (1) | EP4350549A1 (en) |
JP (1) | JP2022180094A (en) |
WO (1) | WO2022249588A1 (en) |
Family Cites Families (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2007058514A (en) * | 2005-08-24 | 2007-03-08 | Mitsubishi Electric Corp | Information processor, information processing method and program |
EP3132569A4 (en) * | 2014-04-18 | 2017-12-06 | EntIT Software LLC | Rating threat submitter |
WO2017100534A1 (en) * | 2015-12-11 | 2017-06-15 | Servicenow, Inc. | Computer network threat assessment |
US9747570B1 (en) * | 2016-09-08 | 2017-08-29 | Secure Systems Innovation Corporation | Method and system for risk measurement and modeling |
US10855713B2 (en) * | 2017-04-27 | 2020-12-01 | Microsoft Technology Licensing, Llc | Personalized threat protection |
US10855793B2 (en) * | 2017-09-25 | 2020-12-01 | Splunk Inc. | Proxying hypertext transfer protocol (HTTP) requests for microservices |
JP6933112B2 (en) | 2017-11-30 | 2021-09-08 | 富士通株式会社 | Cyber attack information processing program, cyber attack information processing method and information processing equipment |
JP7105096B2 (en) * | 2018-04-18 | 2022-07-22 | 株式会社日立システムズ | Threat information sharing system and method between multiple organizations |
CN110911151B (en) | 2019-11-29 | 2021-08-06 | 烟台首钢磁性材料股份有限公司 | Method for improving coercive force of neodymium iron boron sintered permanent magnet |
US20210320945A1 (en) * | 2020-04-10 | 2021-10-14 | AttackIQ, Inc. | Method for verifying configurations of security technologies deployed on a computer network |
US11757904B2 (en) * | 2021-01-15 | 2023-09-12 | Bank Of America Corporation | Artificial intelligence reverse vendor collation |
2021
- 2021-05-24 JP JP2021087011A patent/JP2022180094A/en active Pending
2022
- 2022-02-17 EP EP22764988.6A patent/EP4350549A1/en active Pending
- 2022-02-17 WO PCT/JP2022/006470 patent/WO2022249588A1/en active Application Filing
- 2022-02-17 US US17/912,030 patent/US20240104220A1/en active Pending
Also Published As
Publication number | Publication date |
---|---|
WO2022249588A1 (en) | 2022-12-01 |
US20240104220A1 (en) | 2024-03-28 |
JP2022180094A (en) | 2022-12-06 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
STAA | Information on the status of an ep patent application or granted ep patent | Free format text: STATUS: UNKNOWN |
STAA | Information on the status of an ep patent application or granted ep patent | Free format text: STATUS: THE INTERNATIONAL PUBLICATION HAS BEEN MADE |
PUAI | Public reference made under article 153(3) epc to a published international application that has entered the european phase | Free format text: ORIGINAL CODE: 0009012 |
STAA | Information on the status of an ep patent application or granted ep patent | Free format text: STATUS: REQUEST FOR EXAMINATION WAS MADE |
17P | Request for examination filed | Effective date: 20230320 |
AK | Designated contracting states | Kind code of ref document: A1 Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR |
DAV | Request for validation of the european patent (deleted) | ||
DAX | Request for extension of the european patent (deleted) |